Comment: Re:Why is this a bash bug?

by dkf Attached to: Bash To Require Further Patching, As More Shellshock Holes Found

Why does bash have to worry about security?

Because if it is installed as /bin/sh (fairly common), it gets called in a great many places because of the OS APIs system() and popen(), which are both defined to use /bin/sh on Unix. Much of the reporting about it has been more than a little breathless, but that's journalists for you.

Not everything is vulnerable. CGI is not inherently vulnerable (it could use execve() directly) and the called code need not use bash ever. But it's still a serious problem as anything that explicitly requires bash is also definitely broken: we want it fixed ASAP. (A start would be to never process environment variables for function definitions during startup, especially when running as /bin/sh...)

Comment: Re:"could be worse than Heartbleed"

by dkf Attached to: Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Outside of malicious HTTP headers landing in an environment variable in CGI land, I'm hard pressed to think of another reasonable vector for this bug to be a problem...

To be fair, with a moderately competent CGI implementation, the subprocess will start just fine. The problem comes with whatever that subprocess calls, since environment variables are inherited by default. The deeper you go, the greater the likelihood that some programmer will have used system() or popen(), or even flat-out implemented the process as a shell script.
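The two comments above describe the same mechanism from two angles: a CGI server copies request headers into HTTP_* environment variables, the handler may be started with a plain execve() and be perfectly fine, but any descendant that calls system() or popen() gets /bin/sh, and that shell inherits the whole environment. The following is an added example, not code from the comment author or from any project on the page. It constructs a request header shaped like the Shellshock trigger (the value starts with "() {"), maps it into the environment the way CGI does, scans the environment for such values, shows the header reaching a shell two process levels down, and shows that an allow-listed environment stops it. The header value, the SAFE_VARS allow-list and the nested child command are all assumptions made for the demonstration; on a patched shell the payload's trailing command is never executed, the point is that the value still arrives.

```python
import re
import subprocess
import sys

# Constructed sample header value shaped like the Shellshock trigger: the vulnerable
# bash (CVE-2014-6271) imported any variable whose value began with "() {" as a
# function definition and went on executing what followed the closing brace.
# The trailing command here only echoes a word, so it is harmless even on old bash.
SAMPLE_PAYLOAD = "() { :; }; echo vulnerable"

# Slightly more lenient than bash's own exact "() {" prefix test, so spacing
# variants a scanner would want reported are flagged too.
FUNCTION_DEF_PREFIX = re.compile(r"^\(\)\s*\{")

# Hypothetical allow-list: the only variables a request handler really needs to pass on.
SAFE_VARS = ("PATH", "LANG", "TZ")


def cgi_env_from_request(headers, base=None):
    """Mimic the CGI convention (RFC 3875): header Foo-Bar becomes HTTP_FOO_BAR."""
    env = dict(base or {})
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def find_shellshock_vars(env):
    """Names of variables whose values look like an exported bash function definition."""
    return sorted(name for name, value in env.items() if FUNCTION_DEF_PREFIX.match(value))


def scrubbed_env(env, allow=SAFE_VARS):
    """Minimal child environment: request-derived HTTP_* variables never reach /bin/sh."""
    return {name: env[name] for name in allow if name in env}


def run_with_env(argv, env):
    """Spawn argv directly via execve (no shell at this level) and return its stdout."""
    return subprocess.run(argv, env=env, capture_output=True, text=True).stdout


# A child started without a shell (like a CGI program exec'd directly) that, one level
# down, calls system(), which is defined to run /bin/sh -c. The header value rides along
# because the environment is inherited by default at every fork/exec.
NESTED_CHILD = [sys.executable, "-c", "import os; os.system('echo \"$HTTP_USER_AGENT\"')"]


def header_reaches_shell(env):
    """True if the request header value shows up inside the grandchild shell."""
    return SAMPLE_PAYLOAD in run_with_env(NESTED_CHILD, env)


if __name__ == "__main__":
    request_env = cgi_env_from_request(
        {"User-Agent": SAMPLE_PAYLOAD, "Host": "example.test"},
        base={"PATH": "/usr/bin:/bin"},
    )
    print("flagged variables:", find_shellshock_vars(request_env))
    print("inherited env reaches nested shell:", header_reaches_shell(request_env))
    print("scrubbed env reaches nested shell:", header_reaches_shell(scrubbed_env(request_env)))
```

The scan is a detection aid, not a fix: the real fix is a bash that stops importing functions from arbitrary variables, as the first comment says. Scrubbing the environment before spawning children is the application-side defence that works regardless of which shell is installed as /bin/sh, and it also protects against anything else a descendant might read from HTTP_* variables.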

Comment: The OP video was wrong

by DoofusOfDeath Attached to: Euclideon Teases Photorealistic Voxel-Based Game Engine

Early in the video, the narrator said "our eyes just know that these (shown on the screen) videos are real", with the point being that later on he was going to surprise us that they were in fact renditions by his product.

But when I was looking at those images, I was actually thinking that they didn't look real to me. For some reason, I found myself thinking of Half-life 2.

Comment: Re:Best to pretend you don't have the PhD...

by DoofusOfDeath Attached to: Ask Slashdot: Finding a Job After Completing Computer Science Ph.D?

This was my experience as well. I have lots of experience, but I decided to get a PhD both to scratch a personal itch and to maybe open some employment doors.

What I found was that it did open a few particular doors, including for my current job which I'm really enjoying.

However, the number of doors open, compared to if I'd just stopped at a Master's degree, is probably lower. Especially if you consider the years I was working on my PhD rather than keeping up with the latest buzzword-bingo skills.

I guess I had to learn the lesson the hard way, despite some pretty clear warnings: unless you're going for a career in academia or research, you're better off stopping at a master's.

